In case you were too busy watching your kids open their holiday presents you might have missed a “gift” for you – COSO’s updated internal control framework. During the holiday season the draft was exposed for public comment, so if you haven’t already done so, you might want to get your hands on it and tell COSO what you think, and how it might be further improved.

In looking over the draft you’ll see that the fundamental concepts and structure remain. The definition of internal control, the five components, and the COSO cube are unchanged. So are the three categories of objectives, except that the reporting category is expanded to include all reporting by an entity: financial and non-financial, internal and external. This brings the internal control framework in line with how the reporting category of objectives is defined in COSO’s Enterprise Risk Management—Integrated Framework issued in 2004. Another enhancement in the updated framework is inclusion of what are called “principles” and “attributes” of internal control. The initial framework implicitly reflected the core principles of internal control, whereas the updated version explicitly states the 17 principles, representing the fundamental concepts associated with the components of internal control. Supporting the principles are attributes, representing characteristics associated with the principles. Together the principles and attributes comprise criteria put forth to assist management in designing and developing systems of internal control and assessing its effectiveness.

Other enhancements include:

Emphasis on the increased relevance of technology, focusing on sophisticated, decentralized, and mobile applications involving multiple real-time activities that can cut across many systems, organizations, processes, and technologies.

Expanded discussion on governance relating to the board of directors and committees, including audit, compensation, and nominating/governance.

Enhanced focus on anti-fraud expectations, with expanded discussion on fraud and the relationship of fraud and internal control.

Reflection of the evolution of different business models and organizational structures, including use of external parties for providing products or services, the increasing competitive landscape, globalization, dynamic industry and technological changes, evolving business models, competition for talent, cost management, and other factors that have required management to look beyond internal operations to access needed resources via a shared service model, outsourcing to an external party, spinoff, joint venture, or other approach.

You’ll see the term “ICEFR” (pronounced ice-eh-fer), which is the acronym for internal control over external financial reporting. Because of the importance of the internal control framework for reporting under such requirements as Sarbanes-Oxley, COSO decided to offer a separate guidance document highlighting how the framework can be effectively applied for that purpose. It’s organized around the five internal control components, containing approaches for and examples of their application, with direct linkage to the principles and attributes in the framework. It’s important to keep in mind that the ICEFR guidance is just that, guidance; it will neither replace nor modify the framework. It will be exposed for comment later on this spring.

Well, it’s a case of speak now, or…. If you’re involved in any way with internal control, you’ll want to provide your input on the document. By the way, I’m biased in a positive way – for full disclosure, I was the lead PwC project partner of the team that developed the original Framework, played a similar role with the COSO ERM framework, and advised the project team that developed this updated framework. But you may have different views, and it’s important to make them known. The comment period ends March 31.

We know the Olympus Corp. suffered a major management fraud. Financial statements were manipulated to hide huge losses, resulting in its stock price dropping like a rock and jeopardizing the company’s listing status and indeed existence in its current form. For more on the fraud, you may want to look at my October 15, 2011 blog posting.

Those looking at this fiasco may well be asking why this fraud, which had been going on for more than a decade, wasn’t brought to light any sooner – that is, before newly appointed CEO Michael Woodford began to smell a rat. Well, now it’s come out that one critical element in detecting and possibly preventing fraud at the highest management levels – which is having an effective whistleblowing process – wasn’t in place at Olympus. Sure, they had a process, but now it’s reported that the very executives perpetrating the fraud were in charge of the hotline! It’s said that the company’s internal auditors and other employees wanted the whistleblower system to be run by outside parties, but at least one of the executives alleged to have been driving the fraud objected and won out. According to an independent panel investigating the fraud, the corporate atmosphere was such that the hotline was “significantly disabled.” Is it essential to have the hotline outsourced? No. But it is critical that company personnel feel comfortable that their communications will not come back to haunt them, which is said not to have been the case at Olympus.

Much has been written about management fraud, and what internal controls are needed to prevent or detect it. But my experience is that it really comes down to four key factors. One is having a culture of integrity and ethical values, with the “right” tone at the top of the organization and open communication channels. Another is a board of directors (and audit committee) that is independent and providing effective oversight. One more is an effective internal audit function. And then there’s an effective whistleblower process. Based on what’s been reported, Olympus evidently didn’t have any of these big four – we don’t know much about the functioning of its internal audit function, but now learn that the company is suing the former internal auditor along with two other executives who an independent panel said “orchestrated the scheme.” So is it surprising that such a fraud could have existed for so long? In light of its governance, risk management and internal control processes, the answer is “not really.”

When we look at the potential of management fraud, it’s critical to look at these four elements. If even one is missing, the chance of fraud going undetected increases greatly. And no one should proceed with the odds stacked in favor of bad actors.

Solvency II and the need for Operational Risk

Since the European Council has postponed the deadline for Solvency II to January 2014, insurance companies have bought themselves more time to prepare for Solvency II. Most insurance companies are already working on the quantitative side of Solvency (Pillar I of the solvency model, capital requirements) but have not started on the qualitative part (Pillar II, Operational Risk). According to visionaries, the biggest risk for insurers is in Operational Risk!

Interestingly enough, these organizations do not know how to respond to Own Risk and Solvency Assessment (ORSA) requirements, and the local regulators are not providing much guidance on this. What I hear from my clients is that they are looking for guidance on how to implement Operational Risk for Solvency II. This is where IBM OpenPages can help you. We have done this for many clients already, even in joint effort with business partners in the risk consulting area.

In fact, Operational Risk is not rocket science. Let me guide you through the process that one of my clients has taken.

1. Risk Governance and Culture

This is a reflection of the policies in place to govern your risks, and of the risk culture in your organization. My client reviewed how risk awareness was embedded in the daily processes and which policies were in place to manage risks in the business.

2. Risk Identification and Prioritization

My client conducted workshops guided by a risk expert to identify risks in the current processes, aligned to the strategic business goals. Through the outcome of the risk assessments he was able to prioritize the risks.

3. Risk Response Formulation and Control Design

Now that we understand the impact (also called inherent risk exposure) we can start talking about how to create a risk response. Is a risk response needed, can we insure the risk, can we ignore / accept the risk, or should we come up with mitigating controls? And of course, since the risks are not completely new, what controls do we already have in place? Compliance and Audit have played an advisory role in the formulation of the response and the (re)design of these controls.

4. Risk Monitoring

With an understanding of our risk environment and the outcome of the risk exposure assessment, we started developing risk monitoring through reporting, dashboarding and risk analysis. This answers the questions: where are we today, and how did we get there? Subjects like risk appetite, risk tolerance and risk limits were formulated.

5. Issue and Action Management

The last step we took to close the loop was answering the question: what will we do about it? What actions will be taken, by whom and when? A centralized approach to action management was a great relief to our CRO. The main benefit was the ability to provide auditors and the board with an integrated view of all actions and their follow-up progress.

Best practice is to start with a single, simple risk and control framework. Do not try to automate everything in the first phase; keep it simple first and try to get the basic process of risk management running. Once this is done you can start automation in phase II. Only automate where you can benefit from it, where it will save you a significant amount of time.

Phase II is really about automating manual processes. By automation I mean workflow in risk and control assessment processes, and alerting & notification. For example, coming to a final judgment on risk impact and likelihood has been a manual process where only the final result was stored in the system. The next step to get a better qualified result can be the setup of automated questionnaires / a voting system, where a decentralized vote is held first and the centralized final verdict is reached in a group workshop. A decentralized first round has proven to give a better and more effective (read: shorter) discussion and a better final judgment on the risk assessments. Another example of automation is the collection of losses. Until now these were kept in Excel sheets and uploaded into the system. Qualifying the category to which a loss belongs and validating the loss can be a time-consuming process. Automating this process will help the person registering the loss to make a correct classification and will speed up the validation of the loss, including the assessment of the impact and the recovery.

Phase III is the step to the next maturity level. You now have an understanding of how risks and controls are related to each other, so you can put KRIs (Key Risk Indicators) in place. With these KRIs in place you will have an early warning system available that helps you respond in a timely manner. This will shorten the time to respond to failures and might even prevent a loss from happening. Non-financial risk dashboards and scenario analysis are also steps that fit in this next level of maturity. Scenarios can help you to better calculate your capital requirements. Through risk assessments you can get the business’s input on what losses are likely to happen in the near and longer term. The more sample data you put into your calculations, the better the outcome will be.

The last phase is about automating control testing. Here you start looking for control tests that can be performed automatically. Especially control tests that are performed frequently and systematically are candidates for automation. Examples can be found in General Ledger systems, such as matching every sampled invoice against a PO number, or in IT tests (endpoint tests), such as checking whether all hard disks containing sensitive data are encrypted or whether all systems have had their passwords changed in the last month.

We know that senior executives, especially chief executive officers, look to drive their organizations’ growth initiatives. Many are hard-driving, proactive, and intently focused on doing what is needed to carry out strategic plans. Optimism is a typical trait, which can be contagious in getting others in the organization to work in sync towards established goals. This is what CEOs are charged to do, and a key reason why those who do it successfully get the big bucks.

With that said, experience shows that many CEOs are not sufficiently attentive to what can go wrong – that is, what future events could keep their organizations from successfully carrying out the established initiatives. Of course many CEOs and their C-suite teams do focus on such risks, and their organizations benefit from doing so. One such company is Mazor Robotics, a medical technology company based in Israel, whose CEO Ori Hadomi recently was interviewed. He makes a number of interesting observations, one of which is especially insightful – describing risk management in a particularly understandable and compelling way. He associates risk management with ensuring there’s a devil’s advocate involved in key decision-making.

He says: “One of the most obvious mistakes we found is that too often we choose to believe in an optimistic scenario — we think too positively. Positive thinking is important to a certain extent when you want to motivate people, when you want to show them possibilities for the future. But it’s very dangerous when you plan based on that. So one of our takeaways from that was to appoint one of the executive members as a devil’s advocate.” Hadomi expands on how that works, emphasizing that the assigned executive knows the right questions, and asks them in challenging assumptions and pointing out a need to be “more humble with our assumptions.” Hadomi notes that the most surprising thing is that this devil’s advocate is the V.P. of sales for international markets: “You would expect the V.P. of sales to be pie-in-the-sky all the time. But he has a very strong, critical way of thinking, and it is so constructive,” adding that one of the pitfalls of leadership is “thinking too positively when you plan and set expectations.”

I’ve worked with many large companies, and certainly smaller company executives learn from them. But the reverse also is true. In this case, the CEO of Mazor Robotics provides useful insight into how risk management can be effectively conceptualized and applied. Of course, there’s much more to risk management, including capturing the identified risks, analyzing them, and managing them with accountability for needed actions, follow up, etc. But the concept of a devil’s advocate is powerful, especially for executives who may be struggling with what risk management is about.
